Implement the Microsoft 365 monitoring and response service

Learn how you can deploy Microsoft Sentinel using in-house services in your agency, or apply for additional support to onboard this service from our Cyber Security Unit (CSU).

The M365 Monitoring and Response service uses Microsoft Sentinel to provide insights into the Microsoft 365 ecosystem by tracing and analysing operations on SharePoint, OneDrive, Teams and Exchange data.

After confirming you meet the prerequisites, the most important step is determining whether your agency requires additional support to complete the installation and configuration of Microsoft Sentinel for the M365 Monitoring and Response service.

Prerequisites

Confirm that your agency or organisation is a participant in the Queensland Government Microsoft E3/E5 Enterprise Licence Agreement before you apply to access this service.

Assisted Onboarding

We expect most Queensland Government agencies will have sufficient resources to implement Microsoft Sentinel to a minimum configuration within their own agency.

However, if your agency doesn’t have the capacity or capability to install and configure Microsoft Sentinel, you can make a request to the Queensland Government Chief Information Security Officer (QGCISO) who can authorise the provision of external resources to support your team.

Complete the Microsoft 365 monitoring and response service application form to make this request to the QGCISO.

In-house onboarding and configuring data sources

Refer to the Microsoft Quick-start guide for detailed instructions on how to deploy a local instance of Sentinel within your agency.

Follow the instructions in the Data Sources Setup Guide (PDF, 758.4 KB) to onboard data or log sources.

To give this service a whole-of-government view, a minimum configuration of Sentinel is required at the agency level. This means installing the free-tier Microsoft data sources listed in the table below.

Free-Tier Data Sources

| Name | Connector | License |
| --- | --- | --- |
| Azure Activity Logs | Azure Activity Connector | E5 |
| Office 365 Audit Logs | Office 365 Connector | E3/E5 |
| Alerts from Microsoft Defender for Cloud | Microsoft Defender for Cloud Connector | E5 |
| Alerts from Microsoft 365 Defender | Microsoft 365 Defender (Preview) Connector | E5 |
| Alerts from Microsoft 365 Defender for Office 365 | Microsoft 365 Defender (Preview) Connector | E5 |
| Alerts from Microsoft Defender for Identity | Microsoft 365 Defender (Preview) Connector | E5 |
| Alerts from Microsoft Defender for Endpoint | Microsoft 365 Defender (Preview) Connector | E5 |
| Alerts from Microsoft Defender for Cloud Apps | Microsoft 365 Defender (Preview) Connector | E5 |

Other optional data sources of interest

| Name | Connector | License |
| --- | --- | --- |
| Message trace logs | Refer to page 7 of the Data Sources Setup Guide | E3 or E5 |
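Installing a connector is not the same as the connector delivering data. The following PowerShell is an added example (not part of this page, the Setup Guide or CITEC's material) that checks the agency workspace for recent rows in the three tables the free-tier connectors write to: AzureActivity (Azure Activity connector), OfficeActivity (Office 365 connector) and SecurityAlert (Defender for Cloud and Microsoft 365 Defender connectors). The resource group and workspace names are placeholders; it assumes the Az.Accounts and Az.OperationalInsights modules are installed and that the signed-in account can read the workspace.

```powershell
# Added example, not from the original page: confirm that the free-tier
# connectors are actually delivering data to the agency's Sentinel workspace.
# Placeholders below must be replaced with the agency's own values.
$resourceGroup = '<agency-sentinel-rg>'         # placeholder
$workspaceName = '<agency-sentinel-workspace>'  # placeholder

Connect-AzAccount | Out-Null   # interactive sign-in; omit if a context already exists
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# One KQL query covers all three tables. isfuzzy=true keeps the query running
# when a table does not exist yet (a connector that has never sent data), so a
# missing row in the result means "connector not delivering", not "query failed".
# column_ifexists() guards ProductName, which only SecurityAlert carries.
$kql = @'
union isfuzzy=true withsource=SourceTable AzureActivity, OfficeActivity, SecurityAlert
| where TimeGenerated > ago(24h)
| extend Product = iff(SourceTable == "SecurityAlert", column_ifexists("ProductName", ""), SourceTable)
| summarize Events = count(), LastSeen = max(TimeGenerated) by SourceTable, Product
| order by SourceTable asc, Product asc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query $kql -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table SourceTable, Product, Events, LastSeen -AutoSize

# Warn on any required table that produced nothing in the last 24 hours.
$expected = 'AzureActivity', 'OfficeActivity', 'SecurityAlert'
$seen     = $result.Results | Select-Object -ExpandProperty SourceTable -Unique
foreach ($table in $expected) {
    if ($seen -notcontains $table) {
        Write-Warning "No events from $table in the last 24h - check the corresponding connector."
    }
}
```

Run this after the connectors have had a day to ingest; the SecurityAlert rows are broken down by product so you can see which of the Defender services feeding the Microsoft 365 Defender connector have produced alerts and which are silent (silence there may simply mean no alerts, whereas an empty OfficeActivity or AzureActivity table almost always means a connector problem).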

Connect to Lighthouse (Sentinel of Sentinels)

Once Sentinel has been configured in your agency, follow the final steps below to connect to the Whole of Government Microsoft Lighthouse, also known as Sentinel of Sentinels (SoS).

  1. Complete the application form to request onboarding.
  2. The CITEC Service Desk team will action the application and provide you with a template and a parameter file that will be used in the next step.
  3. Visit the Microsoft PowerShell resource page and use the script detailed under the heading "deploy a template with a separate parameter file" to deploy the template and parameter file provided by CITEC.

Once you have completed the above, contact the CITEC Service Desk at service@citec.com.au so they can confirm you have been successfully onboarded to Sentinel of Sentinels.
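The deployment step above, worked through as an added example (this is not CITEC's script and not the Microsoft page it refers to). It assumes, since the page does not say, that the CITEC template is a subscription-scope Azure Lighthouse delegation (Microsoft.ManagedServices resources) and therefore uses New-AzSubscriptionDeployment; if the files CITEC sends target a resource group instead, New-AzResourceGroupDeployment takes the same -TemplateFile and -TemplateParameterFile parameters. File names, the subscription ID and the region are placeholders, and the "authorizations" parameter name follows Microsoft's Lighthouse sample templates and may differ in CITEC's file. Requires the Az.Accounts, Az.Resources and Az.ManagedServices modules.

```powershell
# Added example, not CITEC's or Microsoft's code: deploy the Lighthouse template
# and parameter file from CITEC, then verify the delegation before calling the
# Service Desk. Placeholders and assumptions are marked below.
$templateFile   = '.\citec-sos-template.json'    # placeholder: template supplied by CITEC
$parameterFile  = '.\citec-sos-parameters.json'  # placeholder: parameter file supplied by CITEC
$subscriptionId = '<agency-subscription-id>'     # placeholder: subscription hosting the Sentinel workspace
$location       = 'australiaeast'                # assumed region; only stores deployment metadata

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Read what the delegation will grant before deploying. A Lighthouse
#    delegation gives identities in the SoS tenant roles in your subscription,
#    so the authorizations list is the least-privilege check worth reviewing.
#    Assumes the parameter is named 'authorizations' as in Microsoft's samples.
$params = Get-Content $parameterFile -Raw | ConvertFrom-Json
if ($params.parameters.PSObject.Properties['authorizations']) {
    $params.parameters.authorizations.value |
        Format-Table principalId, principalIdDisplayName, roleDefinitionId -AutoSize
} else {
    Write-Warning "No 'authorizations' parameter found; review the registrationDefinitions resource in the template manually."
}

# 2. Validate template and parameters without creating anything.
Test-AzSubscriptionDeployment -Location $location `
    -TemplateFile $templateFile -TemplateParameterFile $parameterFile

# 3. Deploy: this is the "deploy a template with a separate parameter file" step.
$deployment = New-AzSubscriptionDeployment -Name "sos-onboarding-$(Get-Date -Format yyyyMMddHHmm)" `
    -Location $location -TemplateFile $templateFile -TemplateParameterFile $parameterFile
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'; review the deployment operations before contacting CITEC."
}

# 4. Confirm the delegation exists and keep the output for your change record;
#    the definition shows the managing tenant, the assignment shows it is active.
Get-AzManagedServicesDefinition | Format-List
Get-AzManagedServicesAssignment | Format-List
```

Keep the output of steps 1 and 4 with the onboarding ticket: it records exactly which roles were delegated to the Sentinel of Sentinels tenant, which is what an auditor will ask for later and what you will need if the delegation ever has to be removed.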

The links below provide access to useful vendor documentation focused on implementing and configuring Microsoft Sentinel within the context of the Microsoft 365 Monitoring and Response service.

CITEC Service Desk

Contact the CITEC Service Desk at service@citec.com.au for technical support issues relating to the M365 Monitoring and Response service.

Cyber Security Unit

Contact the Cyber Security Unit (CSU) at CyberSecurityUnit@qld.gov.au should you require further information about the M365 Monitoring and Response service.

Join the Vulnerability Management Community of Practice

The CSU hosts a Vulnerability Management Community of Practice (CoP) which consists of ICT professionals from Queensland Government entities who meet on a regular basis to collaborate and share information, improve their cyber security skills, and actively work on advancing their general knowledge of cyber security. To join, email the Vulnerability Management CoP at cybersecurityunit@qld.gov.au.